A joint advisory from the National Cyber Security Centre has detailed how the UK and its allies have cracked Snake, a Russian malware used by the FSB. Operating as Britain’s foremost intelligence agency, GCHQ worked with the FBI and similar agencies in Canada and Australia to foil one of Russia’s most effective espionage assets for the last two decades.
With U.S. & international partners, we released a joint cybersecurity advisory on Snake malware, which is considered the most sophisticated cyber espionage tool designed and used by #Russia’s Federal Security Service. Here’s how to protect your networks: https://t.co/ppKUoJRQp0 pic.twitter.com/MVkNzZXSTb— Cybersecurity and Infrastructure Security Agency (@CISAgov) May 9, 2023
The joint report comes with a rundown of the technical details of Snake, how it works and how networks can fortify themselves against its attacks. NCSC Director of Operations Paul Chichester said: ‘The advisory lifts the lid on a highly sophisticated espionage tool used by Russian cyber actors.’
Snake, BRICs and Fortuitous Timing
The Snake malware was a favourite of Russia’s Centre 16, a component of the FSB, for over twenty years. It is believed to have been designed in-house by the FSB for long-term intelligence gathering.
While it has been a long time coming, the news dropped amidst chatter concerning the BRICs and their rising economic influence. If the BRICs bloc field a viable alternative, it could create a rival for the U.S. dollar and start a chain reaction of de-dollarisation in other emerging economies.
The power of the dollar relative to other currencies is tracked by the DXY chart, specifically the euro, yen and pound sterling. All three currencies have had a volatile relationship with the USD in the past few months.
Exposing the Snake malware is just a small bout in long and large-scale posturing between Russia and Western powers, with no telling the effect it will have. It does solidify the GCHQ’s reputation as one of the most effective cyber security watchdogs in the world, a necessity as the UK remains the largest growing tech economy in Europe.
Snake’s Origins and Turla Group
While the details aren’t certain, the earliest form of Snake appeared in 2003 under the name Uroboros – the word for imagery where a snake eats its own tail. While the malware network would become widely known as Snake, Uroboros is still used for related malware as is Turla, another name used by the espionage groups that used the malware and are suspected to be state actors or at least subsidised by the state. Turla has gone by many names.
Given Turla’s secrecy and their likely FSB connections, discovering their many names was half the battle. In the joint advisory, authorities identified what they called ‘the Turla family’ which included other malware like Carbon/Cobra and Chinch/ComRAT. Both were derived from Snake’s code base and believed to have been developed by the same conspirators – the FSB and Turla.
Snake’s Targets and Perseus
The Snake malware was evidently one of the FSB’s most effective tools. All devices infected by Snake formed a peer-to-peer network without the knowledge or consent of the device owners, compatible with all popular OS. The FBI has said that Snake targeted over 50 countries, including US journalists, education sectors and NATO members’ computer hardware.
As part of their retaliation efforts, the joint intelligence agencies created a tool dubbed Perseus. It tricked devices infected by Snake into overwriting itself partially, enough to render the malware inert. They stress that computers can still be re-infected. CISA has issued a joint advisory here, which details how the malware works and how networks can protect themselves.
While state security will certainly use this opportunity to protect themselves against Snake malware reinfections, it’s up to individuals to educate themselves on this cyber security breakthrough and shore up defences. Businesses should especially take note of the advisory report and make sure they are protected.